Deep Malware Analysis

Automatically analyse malware at a depth previously not possible!

Joe Sandbox is a multi-technology platform which uses instrumentation, simulation, hardware virtualization, hybrid analysis and graph-based static and dynamic analysis. Rather than focusing on one technology, Joe Sandbox combines the best parts of multiple techniques. This enables deep analysis, excellent detection and strong evasion resistance.

Hypervisor based Inspection

Hypervisor based Inspection (HBI) uses the latest hardware virtualization features of modern CPUs to place stealth breakpoints anywhere in the operating system or in malware code. Stealth breakpoints capture information about any API being called, no matter whether it is in user mode or kernel mode. Furthermore, HBI enables security experts to trace any cross-module calls and other sensitive events, such as debug register modification, CPUID instruction execution and many others. HBI is fully stealthy and malware cannot detect its presence. HBI is not tied to a specific hypervisor such as KVM or Xen and can even run on bare-metal machines. HBI is fully configurable by our customers.

Dynamic Generic Instrumentation

Dynamic Generic Instrumentation (DGI) modifies code in order to log and change runtime information. DGI allows users to control API, method and function calls, including complex arguments, return values and object values. Besides the deep inspection of runtime data, DGI is an excellent technique to fight evasion such as sleeps, logic bombs or environment checks: it lets the analyst fully modify or fake arguments, return values and the state of objects. DGI is stealthy and very hard for malware to detect. Second only to instruction traces, DGI captures the most fine-grained dynamic information possible. DGI also enables cyber security professionals to provide their own custom instrumentation hooks.

Hybrid Code Analysis

Hybrid Code Analysis (HCA) combines dynamic and static program analysis while retaining the main benefits of both techniques: context awareness and resilience against code obfuscation such as packing and self-modifying code on the one hand, and code analysis completeness on the other hand. This makes it possible to understand evasions against malware analysis systems, including sleeps, logic bombs and system fingerprinting. Moreover, it allows discovering hidden behavior: dormant functionality which is executed only under rare conditions. Hybrid Code Analysis enables security professionals to understand the complete malware behavior, not just the installation.

Adaptive Internet Simulation

AIS acts as a configurable firewall between the Joe Sandbox malware analysis system and the Internet. AIS is smart! It monitors network traffic and decides which packets to let through and which ones to block.

With this unique technology, AIS prevents leakage of sensitive system information, such as identifiers and hardware tokens. In addition, AIS provides powerful features such as user-controlled DNS answers and faked HTTP POST responses.

Analyzing a sample in Joe Sandbox using AIS technology provides an in-depth view of the malware behavior without the risks of unlimited Internet access.
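The following is an added example of the "user-controlled DNS answers" idea described above; it is not Joe Sandbox or AIS code. It shows the decision an egress filter makes for one DNS query from the sandbox: answer a known C2 name with an analyst-chosen sinkhole address, refuse a blocked name with NXDOMAIN, or let everything else pass to the real resolver. The policy table, the sinkhole address and the host names are assumptions; the packets are built and parsed by hand so it runs offline.

```python
"""User-controlled DNS answers for a sandbox egress filter.

Added example, not Joe Sandbox code. The policy table and the sinkhole
address are assumptions; the packets are built and parsed here by hand so
the example runs offline with no resolver or network access.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# Assumed analyst policy: fake A answers for known C2 names (sinkhole them to a
# listener the analyst controls), block a name outright, pass everything else
# to the real resolver.
POLICY = {
    "fake": {"c2.example.test": "10.13.37.1"},
    "block": {"telemetry.example.test"},
}

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Read a (possibly compressed) name; return it and the offset after it."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(packet, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query with one question (what the sample would send)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def handle_query(packet: bytes, policy: Dict = POLICY) -> Tuple[str, Optional[bytes]]:
    """Decide fake / block / pass for one query; return the decision and any reply."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000 or qdcount != 1:       # a response, or not a single question
        return "ignore", None
    name, off = decode_name(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    question = packet[12:off + 4]
    name = name.lower()

    if name in policy["fake"] and (qtype, qclass) == (QTYPE_A, QCLASS_IN):
        rdata = ipaddress.IPv4Address(policy["fake"][name]).packed
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)          # QR, RD, RA, NOERROR
        # Answer name is a pointer (0xC00C) back to the question name at offset 12.
        answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, 60, 4) + rdata
        return "fake", header + question + answer
    if name in policy["block"] or any(name.endswith("." + d) for d in policy["block"]):
        header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return "block", header + question
    return "pass", None                      # would be forwarded to the upstream resolver


def reply_rcode(reply: bytes) -> int:
    return struct.unpack("!H", reply[2:4])[0] & 0x000F


def reply_ip(reply: bytes) -> Optional[str]:
    """Extract the first A answer from a reply built by handle_query."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if ancount == 0:
        return None
    _, off = decode_name(reply, 12)
    off += 4                                 # skip QTYPE, QCLASS of the question
    _, off = decode_name(reply, off)         # answer name (compression pointer)
    _, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    return str(ipaddress.IPv4Address(reply[off + 10:off + 10 + rdlen]))


if __name__ == "__main__":
    for host in ("c2.example.test", "telemetry.example.test", "www.example.test"):
        decision, reply = handle_query(build_query(0x1234, host))
        print(host, decision, reply_ip(reply) if reply else None)
```

In a deployment this logic would sit behind a UDP/53 listener on the sandbox's gateway; only the decision and the reply construction are shown here. Note that a non-A query for a sinkholed name (for example AAAA) deliberately falls through to "pass" rather than being answered with an A record.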

Extensive Behavior Signature Set

Joe Security has one of the most extensive generic Behavior Signature sets. The set, consisting of more than 1554 signatures, covers multiple platforms including Windows, Android, Mac OS X and iOS. Behavior Signatures help detect, classify and summarize malicious behavior, dangerous code and evasions. Joe Sandbox applies each signature to an enormous amount of captured data, ranging from operating system to network, browser, memory, file, binary and screen data.
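To make the idea of generic behavior signatures concrete, here is an added example that is not Joe Sandbox code: a small signature engine run over a constructed API-call trace. Single-event signatures match one call and its arguments, while a sequence signature only fires when the remote-thread injection calls appear in order against the same target process. The trace format, signature names, scores and verdict thresholds are assumptions made for this illustration.

```python
"""Generic behavior-signature matching over a sandbox API trace.

Added example, not Joe Sandbox code. The trace format, the signature
names and the scoring thresholds below are assumptions made for the demo.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample trace (one event per line), shaped like a sandbox log.
# It mixes API calls with a traced CPUID instruction, as HBI would record.
SAMPLE_TRACE = r"""
pid=1204 api=GetSystemInfo args=() ret=0
pid=1204 api=cpuid args=(leaf=0x40000000) ret=0
pid=1204 api=Sleep args=(ms=600000) ret=0
pid=1204 api=RegSetValueExW args=(key=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, name=Updater, value=C:\Users\Public\svc.exe) ret=0
pid=1204 api=CreateFileW args=(path=C:\Users\Public\svc.exe, access=GENERIC_WRITE) ret=0x1a4
pid=1204 api=OpenProcess args=(pid=3320, access=PROCESS_ALL_ACCESS) ret=0x1b0
pid=1204 api=VirtualAllocEx args=(pid=3320, prot=PAGE_EXECUTE_READWRITE) ret=0x7ff0
pid=1204 api=WriteProcessMemory args=(pid=3320, size=4096) ret=1
pid=1204 api=CreateRemoteThread args=(pid=3320) ret=0x2c8
"""

LINE_RE = re.compile(r"pid=(?P<pid>\d+) api=(?P<api>\w+) args=\((?P<args>.*)\) ret=(?P<ret>\S+)$")


@dataclass
class Event:
    pid: int
    api: str
    args: Dict[str, str]
    ret: str
    raw: str


def parse_trace(text: str) -> List[Event]:
    """Parse trace lines into events; lines that do not match are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = {}
        for part in m["args"].split(", "):
            if "=" in part:
                key, value = part.split("=", 1)
                args[key] = value
        events.append(Event(int(m["pid"]), m["api"], args, m["ret"], line))
    return events


@dataclass
class Signature:
    name: str
    category: str
    score: int
    match: Callable[[List[Event]], List[Event]]   # returns the evidence events


def single_call(api: str, **arg_patterns: str) -> Callable[[List[Event]], List[Event]]:
    """Match any one event of `api` whose arguments satisfy every regex given."""
    def match(events):
        return [e for e in events
                if e.api == api
                and all(re.search(pat, e.args.get(key, "")) for key, pat in arg_patterns.items())]
    return match


def long_sleep(events, threshold_ms: int = 300_000):
    """Sleeps long enough to outlast a typical analysis window (threshold assumed)."""
    return [e for e in events if e.api == "Sleep" and int(e.args.get("ms", "0"), 0) >= threshold_ms]


def injection_chain(events):
    """Alloc -> write -> remote thread, in that order, against the same foreign pid."""
    chain = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
    progress: Dict[str, List[Event]] = {}
    hits = []
    for e in events:
        if e.api not in chain:
            continue
        target = e.args.get("pid", "")
        seen = progress.setdefault(target, [])
        if e.api == chain[len(seen)]:
            seen.append(e)
        if len(seen) == len(chain):
            hits.extend(progress.pop(target))
    return hits


SIGNATURES = [
    Signature("Queries hypervisor CPUID leaf (VM detection)", "evasion", 2,
              single_call("cpuid", leaf=r"^0x4000")),
    Signature("Long sleep to outlast analysis", "evasion", 2, long_sleep),
    Signature("Sets Run-key autostart entry", "persistence", 3,
              single_call("RegSetValueExW", key=r"(?i)CurrentVersion\\Run$")),
    Signature("Drops executable into a public path", "dropper", 2,
              single_call("CreateFileW", path=r"(?i)\\Users\\Public\\.*\.exe$", access=r"GENERIC_WRITE")),
    Signature("Classic remote-thread injection", "injection", 5, injection_chain),
]


def run_signatures(trace_text: str, signatures=SIGNATURES):
    """Apply every signature to the parsed trace; return the ones that fired with evidence."""
    events = parse_trace(trace_text)
    report = []
    for sig in signatures:
        evidence = sig.match(events)
        if evidence:
            report.append({"name": sig.name, "category": sig.category,
                           "score": sig.score, "evidence": [e.raw for e in evidence]})
    return report


def classify(report, suspicious_at: int = 3, malicious_at: int = 6):
    """Sum signature scores into a verdict (thresholds assumed)."""
    total = sum(r["score"] for r in report)
    verdict = "malicious" if total >= malicious_at else "suspicious" if total >= suspicious_at else "clean"
    return verdict, total


if __name__ == "__main__":
    rep = run_signatures(SAMPLE_TRACE)
    for r in rep:
        print(f"[{r['category']}] {r['name']} (+{r['score']})")
    print(classify(rep))
```

The sequence signature is the part worth copying: it keeps per-target progress so an out-of-order or cross-process set of the same calls does not fire, which is what separates a behavior signature from a plain API allow/deny list.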

Cookbooks

While Hybrid Code Analysis and behavior signatures detect evasive threats, Cookbooks enable users to easily influence and change the malware's behavior automatically. With Cookbooks, security professionals can change the environment, simulate operating system events or modify the operating system behavior. Cookbooks provide the opportunity to completely customize the analysis procedure, including malware startup, analysis duration and analysis chaining across multiple systems. The Cookbook technology makes Joe Sandbox the most flexible and customizable malware analysis system in the industry.